Configure Security Response Headers
Introduction
Goal
Configure HTTP response headers that increase the security of your Bloomreach Experience Manager delivery application.
Background
Certain security-related HTTP response headers instruct modern browsers to avoid easily preventable classes of vulnerabilities. Examples are HTTP Strict-Transport-Security (HSTS) and Content-Security-Policy. See https://www.owasp.org/index.php/OWASP_Secure_Headers_Project for an overview of available headers, browser compatibility, best practices, etc.
This page explains how to configure additional (security) response headers for your delivery application at virtual host, mount, or sitemap item level.
Configure Response Headers
You can configure any additional HTTP header at virtual host, mount, or sitemap item level by setting the multi-valued String property hst:responseheaders on the appropriate node using the Console.
For example, the YAML snippet below:
configures the following two response headers on the virtual host www.myproject.com (and, implicitly, on all sites mounted under that virtual host):
Similarly, the hst:responseheaders property can be set on an individual mount:
Or even on a single sitemap item:
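The following is an added example, not code from Bloomreach or this documentation, showing how a deployment check can validate the values you intend to put in hst:responseheaders (whether at virtual host, mount, or sitemap item level) against a minimal security baseline before the configuration is applied. It assumes, as a labelled assumption, that each value of the multi-valued property is a single "Header-Name: value" string; the header list and the baseline thresholds in the script are constructed for the example.

```python
"""Validate a list of hst:responseheaders values against a small security baseline.

Added example, not Bloomreach's own code. Assumption: each value of the
hst:responseheaders property is one "Header-Name: value" string. The sample
values and the baseline thresholds below are constructed for this example.
"""
import re

# Constructed sample values for a multi-valued hst:responseheaders property.
SAMPLE_RESPONSE_HEADERS = [
    "Strict-Transport-Security: max-age=31536000; includeSubDomains",
    "X-Content-Type-Options: nosniff",
    "X-Frame-Options: SAMEORIGIN",
    "Content-Security-Policy: default-src 'self'",
]


def parse_response_headers(values):
    """Split each 'Name: value' string into a dict keyed by lower-cased name.

    Only the first colon separates name from value, so values that contain
    colons themselves (for example a CSP report-uri) survive intact.
    Malformed entries without a colon are reported rather than silently dropped.
    """
    headers, errors = {}, []
    for raw in values:
        name, sep, value = raw.partition(":")
        if not sep or not name.strip():
            errors.append(f"malformed entry: {raw!r}")
            continue
        headers[name.strip().lower()] = value.strip()
    return headers, errors


def check_security_headers(values, min_hsts_age=31536000):
    """Return a list of findings; an empty list means the baseline is satisfied."""
    headers, errors = parse_response_headers(values)
    findings = list(errors)

    # HSTS must be present with a max-age of at least min_hsts_age seconds (one year here).
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        match = re.search(r"max-age=(\d+)", hsts)
        if not match:
            findings.append("Strict-Transport-Security lacks max-age")
        elif int(match.group(1)) < min_hsts_age:
            findings.append(
                f"Strict-Transport-Security max-age {match.group(1)} is below {min_hsts_age}"
            )

    # MIME sniffing protection.
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options should be 'nosniff'")

    # Clickjacking protection via either X-Frame-Options or a CSP frame-ancestors directive.
    xfo = headers.get("x-frame-options", "").upper()
    csp = headers.get("content-security-policy", "")
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")

    # A CSP must exist and should not permit inline script.
    if not csp:
        findings.append("missing Content-Security-Policy")
    elif "'unsafe-inline'" in csp:
        findings.append("Content-Security-Policy allows 'unsafe-inline'")

    return findings


if __name__ == "__main__":
    for line in check_security_headers(SAMPLE_RESPONSE_HEADERS) or ["baseline satisfied"]:
        print(line)
```

The same check_security_headers function can be fed the header lines returned by the live delivery site (for example from a HEAD request) to confirm that the headers configured on the virtual host, mount, or sitemap item actually reach the browser.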